Works seamlessly with complex Web 2.0 applications while you drive the Web browser

Non-intrusive, will not raise alarms or damage production sites

Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)

Configurable domains with wildcard support

Extensible framework for adding new checks

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com.
Fiddler provides all of the rich functionality of a good Web/HTTP
proxy. With Fiddler you can capture all HTTP traffic, intercept and
modify it, replay requests, and much more. Fiddler provides the HTTP
proxy framework for Watcher to work in, allowing for seamless
integration with today's complex Web 2.0 or Rich Internet Applications.
Watcher runs silently in the background while you drive your browser
and interact with the Web application.

Watcher is built in C# as a
small framework with 30+ checks already included. It's built so that
new checks can be easily created to perform custom audits specific to
your organizational policies, or to perform more general-purpose
security assessments. Examples of the types of issues Watcher will
currently identify:

ASP.NET VIEWSTATE insecure configurations

JavaServer MyFaces ViewState without cryptographic protections

Cross-domain stylesheet and JavaScript references

User-controllable cross-domain references

User-controllable attribute values such as href, form action, etc.

User-controllable JavaScript events (e.g. onclick)

Cross-domain form POSTs

Insecure cookies which don't set the HttpOnly or Secure flags

Open redirects which can be abused by spammers and phishers

Insecure Flash object parameters useful for cross-site scripting

Insecure Flash crossdomain.xml

Insecure Silverlight clientaccesspolicy.xml

Charset declarations that could introduce vulnerabilities (non-UTF-8)

User-controllable charset declarations

Dangerous context-switching between HTTP and HTTPS

Missing or insufficient Cache-Control headers on responses carrying private data (e.g. no no-store directive)
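As an added illustration of the passive checks listed above, the Python below (written for this page, not Watcher's own C# code) runs four of them over one constructed HTTP response: cookie flags, charset, Cache-Control on private responses, and cross-domain script/stylesheet references against a wildcard trusted-domain list. The trusted-domain list, the rule that HTTPS responses count as private, and the sample response itself are assumptions.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlparse

# Hypothetical trusted-origin list; "*.example.com" mirrors the wildcard
# domain configuration described for Watcher.
TRUSTED_DOMAINS = ["app.example.com", "*.example.com"]
# Constructed sample response (not captured from a real site).
SAMPLE_URL = "https://app.example.com/account"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=ISO-8859-1"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Cache-Control", "public, max-age=600"),
]
SAMPLE_BODY = ('<html><head><script src="http://cdn.example.net/lib.js"></script>'
               '<link rel="stylesheet" href="/site.css"></head><body>hi</body></html>')

def is_trusted(host):
    return any(fnmatch(host, pattern) for pattern in TRUSTED_DOMAINS)

def passive_checks(url, headers, body):
    """Run Watcher-style passive checks over one response; returns finding strings."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    page_host = urlparse(url).hostname
    # Cookie flags: every Set-Cookie should carry both HttpOnly and Secure.
    for v in (v for k, v in hdrs if k == "set-cookie"):
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {v.split('=', 1)[0]} missing {flag}")
    # Charset: anything other than UTF-8 (or no charset at all) is reported.
    ctype = next((v for k, v in hdrs if k == "content-type"), "")
    m = re.search(r"charset=([\w-]+)", ctype, re.I)
    if not m or m.group(1).lower() != "utf-8":
        findings.append(f"non-UTF-8 charset: {m.group(1) if m else 'none'}")
    # Cache-Control: HTTPS responses are assumed private and should say no-store.
    if urlparse(url).scheme == "https":
        cc = next((v for k, v in hdrs if k == "cache-control"), "")
        if "no-store" not in cc.lower():
            findings.append("private response without Cache-Control: no-store")
    # Cross-domain script/stylesheet references outside the trusted domains.
    for src in re.findall(r'<(?:script|link)[^>]+(?:src|href)="([^"]+)"', body, re.I):
        host = urlparse(src).hostname
        if host and host != page_host and not is_trusted(host):
            findings.append(f"cross-domain reference: {host}")
    return findings
```

Calling `passive_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)` on the sample yields five findings; a hardened response (UTF-8, no-store, Secure and HttpOnly cookies, same-origin assets) yields none.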